The FTC, 'Your Privacy Watchdog,' Does Have Some Teeth

The U.S. does not have a Department of Privacy. Consumer privacy protection rests instead on a stool with three enforcement legs: 1) Attorneys general, who are starting to think of themselves as "the Internet police," according to their national association's incoming president, Doug Gansler, who has made "Privacy in the Digital Age" his theme. 2) Class-action lawyers, who pursue lawsuits against companies when they screw up, and some of whom we might want to start calling "privacy violation chasers." 3) The Federal Trade Commission, or FTC, or, according to Peter Maass at ProPublica, "a low-tech, defensive, toothless privacy watchdog."

Maass wrote a rather long, rather damning piece published in Wired about how much the FTC, to put it bluntly, sucks. He starts off the piece by criticizing the agency for not being the first to discover that Google was circumventing Safari's privacy protections by placing a cookie on users' smartphones. They were scooped, says Maass, by "sleep-deprived" Stanford grad student Jonathan Mayer -- which isn't exactly accurate, but Mayer was the first to publicize it. Maass then moves on to the Google Wi-Spy debacle, pointing out that the FTC punted on discovering or punishing Google for sucking up information from unsecured Wi-Fi networks with its Street View cars, leaving the Europeans to do the heavy sniffing.

Maass's biggest criticism of the agency is its technology. He pooh-poohs the FTC's mobile forensics lab -- which it uses to test smartphone apps for data leakage and pilfering -- and its Internet testing labs for looking "like a computer room in a public library or middle school," according to former FTC consultant Chris Soghoian. He also seems put off by the fact that FTC employees have to go to those labs to do investigations that involve visits to websites with spyware and malware, rather than doing it from their office computers. (Do we really want computers connected to a government network visiting those sites? Keeping malware investigation on isolated lab machines is ordinary good practice, not evidence of backwardness.) He argues that they are underfunded, understaffed, and technologically behind the times.

Staffing at the Division of Privacy and Identity Protection, which does the bulk of the FTC's privacy work, stayed flat at around 50 people even though the data mining industry that it oversees has rapidly expanded; the industry now employs more than 100,000 people and has revenues close to $5 billion, according to industry analyst Gregory Piatetsky-Shapiro. There are about 20 lawyers working on privacy cases at the FTC.

While everyone agrees the FTC could use more technologists, the article was not necessarily well-received in the privacy community.

"We need to keep a balanced perspective and recognize that government and members of Congress cannot be expected to keep pace with the rapid pace of innovation," said Craig Spiezle, director of the Online Trust Alliance. (Not everyone wholeheartedly agrees there.)

"The Wired/Propublica story on FTC is wrong on a number of fronts," tweeted security researcher Ashkan Soltani. "Not a fan of this over-the-top hit piece," tweeted respected technology attorney Marcia Hoffman, of the Electronic Frontier Foundation. "Overly harsh," tweeted Christopher Wolf, a corporate privacy lawyer.

The FTC itself took to Twitter to defend itself, and released a rather lengthy public statement (available in full at the end of this post).

"The Federal Trade Commission has brought 39 cases on data security breaches, 19 cases alleging violations of the Children's Online Privacy Protection Act, more than 100 cases involving spam and spyware, dozens of cases alleging violations of the Do Not Call Registry, and dozens more involving unfair or deceptive privacy practices, including cases against Google, Facebook, and Twitter," said the agency.

Part of the challenge for the FTC is that the U.S. doesn't have much in the way of general privacy law to enforce. Outside a few sector-specific statutes (children's data under COPPA, for instance), the framework for privacy here is based on companies fulfilling their promises to you (usually found in that privacy policy you never read). They say what they'll do with your data, and then they're supposed to honor that. The FTC can only go after them, under Section 5 of the FTC Act, if what they later do is deceptive or unfair.